In this age of cyber breaches and sensitive data leaks, keeping your personal and commercial information safe has never been more important. What’s more, that data is perhaps more exposed than ever, because most of it now lives on our mobile devices.
With that in mind, it’s easy to see the absolute necessity of keeping them as secure as possible. Taken to the extreme, however, security would mean disabling every wireless module on your device and unlocking it with a 20-character password of letters, numbers, and special characters every time you pick it up.
The goal of this overview is to find a reasonable balance between data security on an Android device and the convenience of everyday use. If you believe you are the target of a spear-phishing campaign or another targeted attack, you’d probably be better off following the advice in the paragraph above; for the rest of us, the 10 suggestions below should be plenty to stay safe.
#1. Look at the brand and hardware
Several things we’re going to talk about below, including firmware issues and authentication methods, depend heavily on how a particular smartphone implements them. For example, cheaper devices often do face unlock with the ordinary front camera alone, without the infrared or depth sensors found on pricier models, which makes it possible to fool them with a photo or a simple mask.
If device security is important to you, make sure you understand the relevant specifications before purchasing: how face unlock and the fingerprint sensor are implemented and, above all, how long the manufacturer commits to shipping security updates. Another obvious recommendation is, of course, to avoid buying from lesser-known brands (think Leagoo, Doogee, or Homtom) or shady sellers; saving a couple of hundred dollars isn’t usually worth the risk.
#2. Check the firmware
Although normally you’d expect to receive proper original firmware when buying a new device, it’s not unheard of for the store to install software of its own on a smartphone before selling it. The store rarely does so with purely malicious intent: sometimes it’s localized firmware for the target market, sometimes the seller wants to earn extra money from bloatware, and so on.
Either way, non-original firmware is a security threat. Not only do you not know what’s hidden in it, but you also typically stop receiving the manufacturer’s security updates. Check that the bootloader is locked and that the phone boots without a bootloader or verified-boot warning; if anything looks off, download the original firmware from the manufacturer’s website and flash it with the manufacturer’s official tool. That’s a sensible thing to do with a new smartphone and a must if you buy a used one.
#3. Choose your authentication methods
Any decent Android smartphone these days comes with a range of authentication methods built-in. In most cases, you’d be offered a choice of password, PIN code, screen pattern, fingerprint, and face unlock.
Let’s assume you’ve read the first section of this overview carefully and got a phone where all authentication methods are implemented correctly. Which should you choose then?
From a security standpoint, a long, unique password is the best authentication method. The problem is that entering it more than 100 times a day (yes, that’s how often we check our phones) isn’t convenient at all. PIN codes and patterns, on the other hand, can be guessed relatively easily: a four-digit PIN has only 10,000 combinations, and people gravitate to a small set of common patterns. Both are also easy to shoulder-surf, and a pattern can be recovered from a CCTV recording even if its quality is very low, or from the smudge trail your finger leaves on the screen.
With that in mind, fingerprint and/or face unlock strike a good balance between security and convenience. Keep in mind, however, that even some of the best implementations can be fooled by 3D-printed replicas or simply by presenting the phone to its sleeping owner. Biometrics are only a shortcut: Android falls back to the PIN, pattern or password after a reboot or a few failed attempts, so anyone who learns the backup credential has the same access as your fingerprint. Make that backup a reasonably complex, unique password.
#4. Make sure you encrypt your device
An important step in securing data on your smartphone or tablet is encrypting its storage. The data on the device’s flash memory is then stored only in encrypted form, and the keys needed to decrypt it are protected by your lock-screen credential (in modern Android, by the credential combined with a key held in the device’s secure hardware). The encryption makes it next to impossible to recover information from a lost or stolen phone without unlocking it: pulling the storage chip yields only ciphertext.
Any device that shipped with Android 10 or later is encrypted out of the box, and most Android 6 and newer devices were encrypted at first boot, so there is often nothing to turn on; check under Settings — Security (or Settings — Security — Encryption and Credentials) that the phone reports it is encrypted. On older devices you’ll find an Encrypt phone button in the same place: set up your authentication method first, plug in the charger, and allow up to an hour for the initial encryption. (The exact names of menu items vary between phones, but you get the idea.) Afterwards, you’re unlikely to notice any change in the performance of the device.
#5. Do you need antivirus? It depends
For the experienced Windows users among us, having an antivirus installed on every device sounds like an obvious security measure. However, on mobile devices, it might not be as useful as it is on a PC.
First of all, an antivirus app on Android can’t work the way it does on a PC. Every app runs in its own sandbox, so a third-party scanner has no privileged view of what other apps are doing, no access to their private files, and no way to hook into the system the way desktop products do. Continuously monitoring everything would also be a heavy drain on the battery.
As a result, a mobile antivirus normally only scans apps as they’re installed and compares them against known malware signatures. That adds little if you install applications only from the Play Store, where Google’s own Play Protect scans apps before publication and periodically rescans what’s installed on your device for known malware.
In summary, it only makes sense to have a third-party antivirus if, for any reason, you often need to install applications from outside trusted app stores. In that case, look for software from companies with a long track record of fighting malware on desktop platforms.
#6. Get a password manager
Just like on a desktop, a good mobile password manager is your friend. A human can’t possibly remember more than a few strong passwords, which leads either to password re-use across services or to weak passwords, both of which put your data in serious jeopardy.
With a password manager installed, you only need to remember one master password that unlocks the vault. That way, every password you use elsewhere can be long, random, and different. Most password managers on the market offer an Android version that plugs into Android’s autofill, so logging in is a tap rather than a typing exercise.
#7. Set up always-on VPN with a whitelist
Setting up a secure connection through a VPN server is certainly one of the better information security practices. Simply speaking, all the data you send to or receive from the Internet travels in an encrypted tunnel to the VPN server, which forwards it on your behalf. Whoever runs the Wi-Fi you’re on (or is listening on it) then sees only encrypted traffic to a single server, which is why it helps on public Wi-Fi. The trade-off is that you’re trusting the VPN provider instead, so pick one you have reason to trust.
This brings us to the always-on VPN option built into Android (Settings — Network & internet — VPN, then the gear icon next to the profile; names vary between phones), which also offers Block connections without VPN so that nothing leaks if the tunnel drops. Generally speaking, you don’t need a VPN at home or on a mobile network whose operator you trust, and many VPN clients let you express that with a whitelist: you choose trusted Wi-Fi and mobile networks where a VPN connection isn’t necessary, and on all other networks the VPN turns on automatically.
#8. Turn off USB debugging
You shouldn’t have it on in the first place if you’re not a mobile developer. Simply speaking, USB debugging lets a computer connected over USB talk to the phone through ADB (the Android Debug Bridge). An authorized computer can then open a shell on the device, install and remove apps, read system logs, pull app backups and change settings, far more than the ordinary file-transfer mode allows. Android asks you to approve each new computer’s key the first time it connects, but tapping Allow on a prompt you weren’t expecting is all it takes.
Leaving it on is a standing risk. To check, go to Settings — System — Developer options and make sure USB debugging is off; if you’ve never unlocked Developer options (by tapping the build number seven times), the menu won’t exist and debugging is already off. Turning it off won’t affect your ability to connect the phone to a PC to copy files or tether the Internet connection.
#9. Disable location tracking if necessary
Having your location data accessible to various apps and services on your phone — from navigation to ordering takeaway — is often very convenient. In some cases, however, you may want to make sure this data is not being accessed, collected, or stored anywhere. This would be a sensible thing to do when the location itself reveals something sensitive about you, like a hospital, an entertainment venue, or even a certain city or country.
In order to block geopositioning as much as possible without actually turning off the phone, follow these two steps.
First, turn off system-level location and make sure no apps have permission to access your location. Head to Settings — Location to do the former (on some phones it’s under Settings — Security & location) and Settings — Apps — App permissions — Location (or Settings — Privacy — Permission manager — Location) to do the latter. Doing both makes sure you won’t accidentally grant an app access to your position from a permission dialogue later.
Second, stay off Wi-Fi, and set up a VPN killswitch. Even with GPS off, an app with Internet access could in theory use your public IP address (roughly city-level accuracy) or, given the right permissions, the names and hardware addresses of nearby Wi-Fi networks (often accurate to tens of metres, by looking them up in a geolocation database) to work out where you are. To avoid that, keep the Wi-Fi module off, and also disable Wi-Fi scanning (and Bluetooth scanning) in the location settings, since Android otherwise keeps scanning for nearby networks even while Wi-Fi is off; keep your VPN client on so that sites see the VPN server’s address rather than yours. As an additional precaution, most VPN clients offer a killswitch, which blocks any traffic that isn’t going through the VPN; Android’s own Block connections without VPN setting does the same at the system level.
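For the checks in #2, #4, #8 and #9 you don’t have to click through menus: a phone you trust to connect to your own computer will answer over adb. The script below is an added example, not part of the original article. It reads the device’s verified-boot state and security patch level (#2), its encryption status (#4), whether USB debugging and Developer options are enabled (#8), and whether Wi-Fi scanning for location is on (#9), then lists findings. The property and settings keys are real Android names; the sample device output embedded in the script is constructed, and the 2024-01-01 patch cutoff and the "ok"/"FINDING" wording are choices of this example. Run it with --live to query the attached phone, which, ironically, needs USB debugging on for the duration; turn it off again afterwards.

```shell
#!/bin/sh
# Added example (not from the original article): a read-only posture check that
# pulls a few security-relevant values from a connected Android device over adb
# and reports findings. Property and settings names are real Android keys; the
# report wording and the patch cutoff are this example's own choices.

# prop KEY TEXT: look up KEY in a newline-separated "key=value" list.
prop() {
  printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# #2 firmware: a stock image on a locked bootloader boots "green"; "orange"
# means the bootloader is unlocked, "yellow"/"red" mean a foreign or bad image.
check_verified_boot() {
  state=$(prop ro.boot.verifiedbootstate "$1")
  case "$state" in
    green) echo "ok: verified boot state green" ;;
    *)     echo "FINDING: verified boot state is '$state' (expected green)" ;;
  esac
}

# #2 firmware: a security patch level older than the cutoff means missed updates.
check_patch_level() { # check_patch_level TEXT CUTOFF(YYYY-MM-DD)
  patch=$(prop ro.build.version.security_patch "$1")
  p=$(printf '%s' "$patch" | tr -d -)
  c=$(printf '%s' "$2" | tr -d -)
  case "$p" in ''|*[!0-9]*) p=0 ;; esac   # missing or "null" counts as stale
  if [ "$p" -ge "$c" ]; then
    echo "ok: security patch level $patch"
  else
    echo "FINDING: security patch level '$patch' is older than $2"
  fi
}

# #4 encryption: Android reports "encrypted" and the scheme ("file" or "block").
check_encryption() {
  if [ "$(prop ro.crypto.state "$1")" = "encrypted" ]; then
    echo "ok: storage encrypted, type=$(prop ro.crypto.type "$1")"
  else
    echo "FINDING: storage is not encrypted"
  fi
}

# #8 USB debugging: adb_enabled=1 means ADB accepts authorized hosts;
# development_settings_enabled=1 means Developer options are exposed at all.
check_usb_debugging() {
  adb_on=$(prop adb_enabled "$1")
  dev_on=$(prop development_settings_enabled "$1")
  if [ "$adb_on" = "1" ]; then
    echo "FINDING: USB debugging is enabled"
  elif [ "$dev_on" = "1" ]; then
    echo "ok: USB debugging off (Developer options still visible)"
  else
    echo "ok: USB debugging off"
  fi
}

# #9 location: with wifi_scan_always_enabled=1 the system may scan nearby
# Wi-Fi networks for location even while Wi-Fi is turned off.
check_wifi_scanning() {
  if [ "$(prop wifi_scan_always_enabled "$1")" = "1" ]; then
    echo "FINDING: Wi-Fi scanning for location is on even with Wi-Fi off"
  else
    echo "ok: Wi-Fi scanning for location is off"
  fi
}

# Run every check over one "key=value" text and print one line per check.
audit() { # audit TEXT CUTOFF
  check_verified_boot "$1"
  check_patch_level "$1" "$2"
  check_encryption "$1"
  check_usb_debugging "$1"
  check_wifi_scanning "$1"
}

# Number of FINDING lines an audit produces (0 when the device looks clean).
finding_count() { # finding_count TEXT CUTOFF
  audit "$1" "$2" | grep -c '^FINDING' || true
}

# Gather live values from the phone attached to adb as "key=value" lines.
collect_props() {
  for k in ro.boot.verifiedbootstate ro.build.version.security_patch \
           ro.crypto.state ro.crypto.type; do
    printf '%s=%s\n' "$k" "$(adb shell getprop "$k" | tr -d '\r')"
  done
  for k in adb_enabled development_settings_enabled wifi_scan_always_enabled; do
    printf '%s=%s\n' "$k" "$(adb shell settings get global "$k" | tr -d '\r')"
  done
}

# Constructed sample standing in for a real device (not captured data): a locked,
# encrypted phone with a stale patch level and USB debugging left on.
SAMPLE_PROPS='ro.boot.verifiedbootstate=green
ro.build.version.security_patch=2023-02-05
ro.crypto.state=encrypted
ro.crypto.type=file
adb_enabled=1
development_settings_enabled=1
wifi_scan_always_enabled=0'

CUTOFF=2024-01-01   # oldest patch level you are willing to accept; adjust
if [ "${1:-}" = "--live" ]; then
  audit "$(collect_props)" "$CUTOFF"
else
  audit "$SAMPLE_PROPS" "$CUTOFF"
fi
```

Without arguments the script audits the embedded sample and reports two findings (the stale patch level and the enabled USB debugging); with --live it queries the phone instead. Every check is a pure function over text, so you can also feed it the output of `adb shell getprop` saved from a phone you no longer have in hand.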
#10. Use hardware 2FA
Hardware-based two-factor authentication (2FA) is arguably the most robust way to protect your accounts in apps and online services. Traditional 2FA relied mostly on one-time codes delivered by text message, but SIM swapping (talking the carrier into moving your number to an attacker’s SIM) and real-time phishing of the code have made SMS the weakest of the options.
Another common implementation is a code-generator app such as Google Authenticator. Those codes can still be phished in real time, and if you lose or break your phone without having backed up the seeds or saved each service’s recovery codes, re-establishing access to every account can be very complicated.
With a hardware key (FIDO2/U2F), you approve a login by holding the key to the phone’s NFC reader or plugging it into the USB-C port. Because the key signs a challenge bound to the site’s domain, a look-alike phishing site can’t reuse the response. If you lose your phone, the key still works on another one. If you lose the key itself, removing it from your online accounts takes only a few clicks, but only if you can still sign in, so register a second key or save the recovery codes on day one.
Let’s sum things up. It is certainly possible to make your Android device reasonably secure without making everyday use inconvenient. Generally speaking, you can avoid most threats by installing apps only from trusted sources, keeping the phone updated, choosing a secure authentication method, and using a VPN on public Wi-Fi. Following the rest of the recommendations in this overview will make you a much harder target for any malicious actor.
Image Credit: bongkarn thanyakij; Pexels